PCI Scope Reduction Using Tokenization for Security Assessors

Yesterday, we presented a webinar that guides QSAs through the assessment of a tokenization implementation, from providing a general overview of tokenization to highlighting what to look for when evaluating specific PCI controls. If you weren’t able to join us, or if you’d like to download it to view again, you can find it here. We also produced an ebook to supplement the webinar, which can be downloaded here. We encourage you to use both as resources for yourself and for sharing with customers and fellow assessors alike.

Four Takeaways

To summarize the presentation and its related collateral, we compiled four main takeaways valuable to all security assessors.

Tokenization doesn’t adversely affect a QSA’s business

Some QSAs may be concerned that a solution which aims to reduce PCI scope could also reduce the need for assessment. Although PCI tokenization does reduce scope, it does not remove the need to evaluate a merchant’s people and processes for PCI compliance – these responsibilities can’t be outsourced to the tokenization provider.

Tokenization implementations hinge on accurate QSA artifacts

Again, regardless of a solution’s potential effectiveness or how much it reduces scope, it still needs to be audited to ensure cardholder data is not in fact entering a merchant’s environment. Additionally, as businesses grow, develop, implement new technologies and deprecate old ones, regular assessments will be required to maintain proper data flows and ensure continued compliance.

Tokenization is powerful, flexible and cost-effective

Being compliant doesn’t necessarily mean being secure. However, cloud-based tokenization achieves both by reducing PCI scope and storing clients’ sensitive data in a secure cloud-based token vault. The simplicity and flexibility of this solution eases the burden on both the QSA and merchant, while doing so in a manner that’s more affordable than other options.

Tokenization solutions address more than just compliance

In addition to reducing scope and meeting requirements, tokenization is extremely secure – even in the event of a breach – easy to integrate and supportive of vital business intelligence operations.

Additional information included in the collateral mentioned above:

• Overview of the PCI Data Security Standard
• Methods for Achieving PCI Compliance
• Analysis of the Tokenization Landscape
• Why Tokenization Matters to Your Customers
• How to Evaluate Tokenization Providers
• Tokenization Implementation Pitfalls
• Frequently Asked Questions and Best Practices

TokenEx understands the difficulty and importance of the work performed by PCI security assessors – our co-founders are former QSAs. That’s why we created these resources to help QSAs through the complex and nuanced process of evaluating a tokenization implementation.

For additional information, please contact us directly at sales@tokenex.com. We’d be happy to answer any questions you have about TokenEx, our platform or how familiarity with tokenization can help your organization and your customers.

Topic(s): PCI DSS , tokenization

Keep Up With Our PCI & Privacy Blog